[strongSwan] ocsp in ikev2

Sriram sriram.ec at gmail.com
Fri Jan 17 06:45:04 CET 2014

Hello everyone,

I am trying to establish IPsec sessions using IKEv2 between two nodes with
ipaddresses and I'm using strongswan-5.1.1.
I could establish the sessions using certificates with no issues. Now I
want to make use of the OCSP feature supported in IKEv2; for that purpose I
added the below section in ipsec.conf of both the nodes.

ca strongswan-ca

Then while generating end entity certificates I edited openssl.cnf to
include the below line,
authorityInfoAccess = OCSP;URI:
The same thing was reflected in the end entity certificates.

Also I started ocsp server in with openssl command.
openssl ocsp -index index.txt -CA /etc/ipsec.d/cacerts/signing-ca-1.crt \
    -rsigner /etc/ipsec.d/cacerts/signing-ca-1.crt \
    -rkey ./CondorSigningCA1/signing-ca-1.key -port 8880

When I tested this, I saw peers exchanging AuthorityInfoAccess as part of
certificate data extensions. But I didn't see any exchanges happening between
the OCSP server and the peer to confirm the validity of certificates. I am
certainly missing some configuration. I intend to make the CA the
certificate validation authority.

Can anyone suggest what could've gone wrong? Your help in this regard is
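
A way to check the two pieces the post describes, the OCSP URI inside the end-entity certificate and the responder itself, independently of the IKE daemon. This is an added example, not part of the original post; the host name ocsp.example.test and the function names are assumptions, and the certificates are throwaway ones generated for the demonstration (port 8880 is the one from the post).

```shell
#!/bin/sh
# Added example (not from the post): checks for the OCSP setup described above.
# ocsp.example.test is a constructed placeholder host, not a value from the page.

# Print the OCSP responder URI(s) from a certificate's authorityInfoAccess
# extension. Empty output means the certificate names no OCSP responder.
ocsp_uri_of() {
    openssl x509 -noout -ocsp_uri -in "$1"
}

# Succeed only for a complete http(s) URL, i.e. something follows the scheme.
uri_is_usable() {
    case "$1" in
        http://?*|https://?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Query the responder named in the certificate, the way a validating peer
# would. $1 = end-entity certificate, $2 = issuing CA certificate.
query_responder() {
    uri=$(ocsp_uri_of "$1")
    uri_is_usable "$uri" || { echo "no usable OCSP URI in $1" >&2; return 2; }
    openssl ocsp -issuer "$2" -cert "$1" -url "$uri" -CAfile "$2"
}

# Build a throwaway CA and end-entity certificate (constructed sample data).
# $1 = output directory, $2 = value for the authorityInfoAccess extension.
make_demo_cert() {
    d=$1
    printf 'authorityInfoAccess = %s\n' "$2" > "$d/ext.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-peer" \
        -keyout "$d/ee.key" -out "$d/ee.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/ee.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/ext.cnf" -out "$d/ee.crt" 2>/dev/null
}

# Offline demonstration: issue a certificate and read back its OCSP URI.
demo=$(mktemp -d)
make_demo_cert "$demo" "OCSP;URI:http://ocsp.example.test:8880"
echo "OCSP URI in demo cert: $(ocsp_uri_of "$demo/ee.crt")"
rm -rf "$demo"
```

Running `query_responder` with the real end-entity and CA certificates from the peer that should validate them shows whether the URI and the responder work on their own; a `good` status there leaves the IKE daemon's configuration as the remaining place to look.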
